172 CVEs tracked today. 12 Critical, 51 High, 86 Medium, 11 Low.
-
CVE-2026-28215
CRITICAL
CVSS 9.1
Unauthenticated infrastructure overwrite in Hoppscotch API development ecosystem before 2026.2.0. Attackers can overwrite the entire infrastructure configuration. PoC available.
Github
Hoppscotch
-
CVE-2026-28213
CRITICAL
CVSS 9.8
Information disclosure in EverShop e-commerce platform before 2.1.1 through the Forgot Password functionality. API responses reveal sensitive information when invalid data is submitted.
Information Disclosure
Evershop
-
CVE-2026-27975
CRITICAL
CVSS 9.8
Unauthenticated remote code execution in Ajenti server admin panel before 2.2.13. Unauthenticated users can gain full server access. Patch available.
Linux
Ajenti
-
CVE-2026-27966
CRITICAL
CVSS 9.8
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary code execution through crafted CSV files. EPSS 0.41% with PoC and patch available.
Python
RCE
Command Injection
AI / ML
Langflow
-
CVE-2026-27965
CRITICAL
CVSS 9.9
Command injection in Vitess MySQL clustering system before 23.0.3/22.0.4. Users with read/write access to the backup store can achieve code execution. Patch available.
MySQL
Vitess
Suse
-
CVE-2026-27941
CRITICAL
CVSS 9.9
Supply chain attack vector in OpenLIT GitHub Actions workflows. The pull_request_target trigger with checkout enables malicious PRs to execute code in the context of the base repository. PoC and patch available.
Github
AI / ML
Openlit Software Development Kit
-
CVE-2026-27812
CRITICAL
CVSS 9.1
Improper output encoding in Sub2API AI API gateway allows injection attacks. The platform distributes AI API quotas without properly encoding output.
XSS
AI / ML
Sub2api
-
CVE-2026-27809
CRITICAL
CVSS 9.1
Integer overflow in psd-tools Python library before 1.12.2 when processing malformed RLE-compressed PSD files leads to heap overflow. PoC and patch available.
Adobe
Python
Denial Of Service
Psd Tools
-
CVE-2026-27804
CRITICAL
CVSS 9.1
Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.
Node.js
Parse Server
-
CVE-2026-27510
CRITICAL
CVSS 9.6
Remote control vulnerability in Unitree Go2 robot dog firmware 1.1.7-1.1.11. The companion Android app allows remote attackers to take control of the robot. PoC available.
Android
Python
RCE
SQLi
Go2 Firmware
-
CVE-2026-22207
CRITICAL
CVSS 9.3
Broken access control in OpenViking through 0.1.18 allows unauthenticated attackers to gain full system access.
Authentication Bypass
-
CVE-2025-50857
CRITICAL
CVSS 9.8
Directory traversal in ZenTaoPMS v18.11 through v21.6.beta allows arbitrary code execution through /module/ai/control.php. EPSS 0.76%.
PHP
Path Traversal
AI / ML
-
CVE-2026-28279
HIGH
CVSS 7.3
Remote code execution in osctrl prior to version 0.5.0 allows authenticated administrators to inject arbitrary OS commands through the hostname parameter during environment configuration, which are then executed on all endpoints enrolling via the compromised environment. The injected commands execute with root/SYSTEM privileges before osquery installation, providing complete system compromise with minimal audit trails. A patch is available in version 0.5.0 and later.
RCE
Command Injection
Osctrl
Suse
-
CVE-2026-28276
HIGH
CVSS 7.5
Unauthenticated access to uploaded files in Initiative project management platform prior to version 0.32.2 allows remote attackers to retrieve sensitive documents by directly accessing the unprotected /uploads/ directory. The vulnerability stems from missing authentication and authorization controls on file serving, enabling disclosure of confidential project data without requiring any credentials. Initiative versions 0.32.2 and later contain patches to restrict access to uploaded documents.
Authentication Bypass
Information Disclosure
Initiative
-
CVE-2026-28275
HIGH
CVSS 8.1
Initiative project management platform versions before 0.32.4 fail to revoke JWT tokens when users change their passwords, allowing authenticated attackers with knowledge of old credentials to maintain API access through unexpired tokens. An attacker can exploit this to access protected endpoints and sensitive project data even after legitimate password changes. Public exploit code exists for this vulnerability.
Information Disclosure
Initiative
-
CVE-2026-28274
HIGH
CVSS 8.7
Stored XSS in Initiative project management platform versions before 0.32.4 allows authenticated users with upload permissions to execute arbitrary JavaScript by uploading malicious HTML files that are served without sandboxing under the application's origin. An attacker can exploit this to steal authentication tokens, session cookies, and other sensitive data from other users, or trick them into executing malicious scripts by sharing direct file links. Public exploit code exists and no patch is currently available.
XSS
Initiative
-
CVE-2026-28216
HIGH
CVSS 8.3
Hoppscotch prior to version 2026.2.0 contains authorization bypass vulnerabilities in its environment management APIs that allow any authenticated user to read, modify, or delete other users' environments without ownership validation. The affected mutations lack proper user identity verification, enabling attackers to access stored API keys, authentication tokens, and secrets contained within targeted environments. Public exploit code exists for this vulnerability and no patch is currently available.
Information Disclosure
Hoppscotch
-
CVE-2026-28211
HIGH
CVSS 7.8
Arbitrary code execution in NVDA Dev & Test Toolbox versions 2.0-8.0 through unsafe evaluation of Python expressions embedded in log files. An attacker can trick users into opening a malicious log file and reading it with the add-on's log reader commands, causing arbitrary code execution under the user's privileges without requiring elevated permissions or user interaction beyond opening the file.
Python
-
CVE-2026-28138
HIGH
CVSS 7.2
Stylemix uListing versions 2.2.0 and earlier contain an unsafe deserialization vulnerability that enables object injection attacks, allowing authenticated attackers with high privileges to execute arbitrary code on affected systems. With no available patch, this vulnerability presents a significant risk to organizations running vulnerable versions of the plugin. The network-accessible nature of the flaw (CVSS 7.2) means exploitation requires only valid credentials to trigger the attack.
Deserialization
-
CVE-2026-28136
HIGH
CVSS 7.6
The WP SMS plugin for WordPress through version 6.9.12 contains an SQL injection vulnerability that allows high-privileged authenticated users to manipulate database queries and extract sensitive information. An attacker with administrative credentials could exploit this to read arbitrary data from the WordPress database, potentially compromising user information and site configuration. No patch is currently available for this vulnerability.
WordPress
SQLi
-
CVE-2026-27976
HIGH
CVSS 8.8
Zed, a code editor, has an extension installer that allows tar/gzip downloads. [CVSS 8.8 HIGH]
RCE
Zed
-
CVE-2026-27969
HIGH
CVSS 8.8
Path traversal in Vitess backup manifest handling allows authenticated attackers with access to backup storage to write arbitrary files to any location during restore operations, potentially achieving remote code execution on production MySQL deployments. An attacker can manipulate backup manifests to extract files outside intended directories, gaining unauthorized access to sensitive data and the ability to execute arbitrary commands in the production environment. Patches are available for versions 23.0.3 and 22.0.4.
MySQL
Path Traversal
Vitess
Suse
-
CVE-2026-27967
HIGH
CVSS 7.1
Zed code editor versions before 0.225.9 fail to properly validate symbolic links in Agent file tools, allowing attackers to read and write arbitrary files outside the project directory and bypass workspace boundary protections. This vulnerability can expose sensitive user data to language models and leak private files despite configured exclusions. Public exploit code exists and no patch is currently available.
Path Traversal
AI / ML
Zed
-
CVE-2026-27961
HIGH
CVSS 8.8
Authenticated attackers can execute arbitrary code on Agenta API servers through server-side template injection in the evaluator template rendering functionality, affecting self-hosted and managed platform deployments prior to version 0.86.8. The vulnerability requires valid credentials but allows complete compromise of the affected server with high confidentiality, integrity, and availability impact. Organizations running Agenta should upgrade to version 0.86.8 or later immediately.
Code Injection
AI / ML
Agenta
-
CVE-2026-27959
HIGH
CVSS 7.5
Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols, affecting applications that use this API for security-sensitive operations like URL generation, password reset links, and email verification. Public exploit code exists for this vulnerability. Applications relying on ctx.hostname for routing decisions or generating user-facing URLs are at risk of credential theft, account compromise, and phishing attacks.
Node.js
Koa
Redhat
-
CVE-2026-27952
HIGH
CVSS 8.8
Arbitrary code execution in Agenta-API prior to version 0.48.1 allows authenticated users to escape the RestrictedPython sandbox through unsafe whitelisting of the numpy package, enabling execution of arbitrary system commands on the API server. The vulnerability leverages numpy.ma.core.inspect to access Python introspection utilities and bypass sandbox restrictions. Public exploit code exists for this vulnerability, and no patch is currently available.
Python
AI / ML
Agenta
-
CVE-2026-27942
HIGH
CVSS 7.5
Stack overflow denial of service in fast-xml-parser versions prior to 5.3.8 occurs when the XML builder is used with the preserveOrder option enabled, causing the application to crash. An attacker can trigger this vulnerability remotely by sending specially crafted XML input, resulting in service unavailability for applications using the affected library. A patch is available in version 5.3.8 and later.
Stack Overflow
Denial Of Service
Fast Xml Parser
Redhat
-
CVE-2026-27938
HIGH
CVSS 7.7
Arbitrary command execution in WPGraphQL's GitHub Actions workflow allows attackers with pull request creation privileges to inject shell commands through unvalidated pull request body content, potentially compromising the build environment and repository integrity. The vulnerability affects WPGraphQL versions prior to 2.9.1 and requires low privileges and user interaction to exploit. No patch is currently available for affected deployments.
WordPress
Github
Command Injection
-
CVE-2026-27904
HIGH
CVSS 7.5
Minimatch versions prior to 10.2.3 (and earlier affected versions) suffer from ReDoS vulnerabilities in nested extglob patterns that generate regexps with catastrophic backtracking, allowing remote attackers to cause denial of service with minimal input. A 12-byte glob pattern like `*(*(*(a|b)))` combined with an 18-byte non-matching string can hang the application for 7+ seconds, with larger patterns stalling for minutes. Public exploit code exists and no patch is currently available, making this a critical risk for any application using the default minimatch API.
Denial Of Service
Minimatch
Redhat
Suse
-
CVE-2026-27903
HIGH
CVSS 7.5
Minimatch versions before 3.1.3 through 10.2.3 suffer from catastrophic backtracking in glob pattern matching when processing multiple GLOBSTAR segments, allowing attackers who control glob patterns to trigger exponential time complexity and cause denial of service. Public exploit code exists for this vulnerability, and affected Node.js applications using vulnerable Minimatch versions are at immediate risk. No patch is currently available, requiring users to upgrade to patched versions or implement input validation as a mitigation.
Node.js
Minimatch
Redhat
-
CVE-2026-27899
HIGH
CVSS 8.8
Privilege escalation in WireGuard Portal prior to version 2.1.3 allows authenticated non-admin users to gain full administrator access by modifying their own user profile with an IsAdmin flag set to true. The vulnerability exists because the server fails to properly validate and restrict the IsAdmin field during profile updates, allowing the privilege change to persist after re-authentication. Affected deployments require immediate patching to version 2.1.3 or later to prevent unauthorized administrative access.
Docker
Wireguard
Wireguard Portal
Suse
-
CVE-2026-27888
HIGH
CVSS 7.5
Denial of service in pypdf prior to version 6.7.3 allows remote attackers to exhaust system memory by crafting malicious PDF files that exploit FlateDecode-compressed streams accessed through the xfa property. The vulnerability requires no authentication or user interaction and affects any application processing untrusted PDF documents with the vulnerable library. Upgrade to pypdf 6.7.3 or later to remediate.
Python
Pypdf
Redhat
Suse
-
CVE-2026-27831
HIGH
CVSS 7.5
Heap buffer over-read vulnerability in rldns DNS server version 1.3 allows remote attackers to trigger denial of service without authentication or user interaction. The flaw enables reading beyond allocated memory boundaries, causing the service to crash. Version 1.4 addresses this issue, though no patch is currently available for affected 1.3 deployments.
Dns
Heap Overflow
Denial Of Service
-
CVE-2026-27821
HIGH
CVSS 7.8
Stack buffer overflow in GPAC's NHML file parser (versions up to 26.02.0) allows local attackers to achieve code execution by crafting malicious XML files with oversized xmlHeaderEnd attributes that bypass length validation. The vulnerability stems from unsafe use of strcpy() in src/filters/dmx_nhml.c and affects systems processing untrusted NHML files. Public exploit code exists for this vulnerability, though a patch is available.
Buffer Overflow
Gpac
-
CVE-2026-27818
HIGH
CVSS 7.5
Improper input validation in TerriaJS-Server versions before 4.0.3 allows unauthenticated remote attackers to bypass domain allowlist restrictions and proxy requests to arbitrary domains. This vulnerability affects Node.js deployments of TerriaJS and could enable attackers to access restricted resources or perform server-side request forgery attacks. A patch is available in version 4.0.3 and later.
Node.js
Terriajs Server
-
CVE-2026-27800
HIGH
CVSS 7.4
Zed code editor versions prior to 0.224.4 contain a path traversal vulnerability in ZIP extraction that fails to sanitize malicious filenames, allowing attackers to write files outside the intended sandbox directory through crafted extension archives. Public exploit code exists for this vulnerability. An attacker can exploit this by distributing a malicious extension that, when installed, deposits files in arbitrary locations on the affected system.
Path Traversal
Zed
-
CVE-2026-27638
HIGH
CVSS 7.1
Actual personal finance application prior to version 26.2.1 fails to enforce access controls on multi-user sync API endpoints, allowing any authenticated user to read, modify, or overwrite other users' budget files. Public exploit code exists for this vulnerability. Update to version 26.2.1 or later to remediate.
Authentication Bypass
Actual
-
CVE-2026-27635
HIGH
CVSS 7.5
Remote code execution in Manyfold prior to version 0.133.0 allows authenticated users to execute arbitrary commands by uploading a ZIP archive with specially crafted filenames containing shell metacharacters that are passed unsanitized to Ruby backtick execution. The vulnerability affects the model render generation feature and requires an attacker to be logged in, with public exploit code currently available. A patch is available in version 0.133.0 and later.
Ruby
RCE
Manyfold
-
CVE-2026-27633
HIGH
CVSS 7.5
TinyWeb versions prior to 2.02 are vulnerable to denial of service through memory exhaustion when unauthenticated attackers send HTTP POST requests with extremely large Content-Length headers, causing the server to allocate unbounded memory and crash. The vulnerability affects all organizations running vulnerable TinyWeb instances, and patch version 2.02 addresses it by implementing a 10MB maximum entity body size limit.
Nginx
Denial Of Service
Tinyweb
-
CVE-2026-27630
HIGH
CVSS 7.5
TinyWeb versions prior to 2.02 lack connection limits and request timeouts, enabling unauthenticated remote attackers to trigger denial of service through Slowloris attacks by maintaining numerous concurrent connections and transmitting data at minimal rates. The vulnerability affects all systems running vulnerable TinyWeb instances, with attackers capable of exhausting server resources and rendering services unavailable. A patch is available that implements connection limits and idle timeouts to mitigate the attack vector.
Nginx
Denial Of Service
Tinyweb
-
CVE-2026-27509
HIGH
CVSS 8.0
Unitree Go2 robots running firmware versions V1.1.7-V1.1.9 and V1.1.11 (EDU) lack authentication controls on the DDS actuator API, allowing network-adjacent attackers to inject and execute arbitrary Python code as root by publishing a crafted message. Public exploit code exists for this vulnerability, which enables persistent code execution through controller keybindings that survive reboots. No patch is currently available.
Python
Go2 Firmware
Go2 Edu Firmware
-
CVE-2026-27449
HIGH
CVSS 7.5
Umbraco Engage versions prior to 16.2.1 and 17.1.1 expose unauthenticated API endpoints that lack access control, allowing remote attackers to retrieve sensitive data by directly querying endpoints with arbitrary identifier parameters. An attacker can enumerate records at scale without authentication or valid session credentials, potentially exposing confidential business intelligence information. No patch is currently available for affected installations.
Industrial
-
CVE-2026-27141
HIGH
CVSS 7.5
Due to a missing nil check, sending HTTP/2 frames of types 0x0a-0x0f will cause a running server to panic. [CVSS 7.5 HIGH]
Denial Of Service
Redhat
Suse
-
CVE-2026-26938
HIGH
CVSS 8.6
Kibana versions up to 9.3.0 contain a vulnerability that allows attackers to read arbitrary files from the Kibana server filesystem and perform server-side request forgery (SSRF) (CVSS 8.6).
SSRF
Code Injection
Kibana
-
CVE-2026-26682
HIGH
CVSS 7.8
Fastcms versions prior to 0.1.6 contain a code injection vulnerability in the PluginController component that allows local attackers with user-level privileges to execute arbitrary code with full system compromise. Public exploit code exists for this vulnerability, and no patch is currently available. Java environments running affected Fastcms instances are at risk of privilege escalation and complete system takeover.
Java
Fastcms
-
CVE-2026-26265
HIGH
CVSS 7.5
Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an insecure direct object reference (IDOR) in the directory items endpoint that allows unauthenticated attackers to retrieve private user field values for all directory users. The vulnerability stems from missing authorization checks on the user_field_ids parameter, enabling bulk exfiltration of sensitive user data that should be restricted by visibility settings. No patch is currently available for affected deployments.
Authentication Bypass
Information Disclosure
Discourse
-
CVE-2026-26186
HIGH
CVSS 8.8
SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the order_key parameter and inject arbitrary SQL commands through improper identifier handling in ORDER BY clauses. An attacker with valid credentials can exploit this vulnerability to perform blind SQL injection attacks, potentially extracting sensitive database information or causing denial of service through resource exhaustion. No patch is currently available for this high-severity vulnerability affecting MySQL implementations.
MySQL
SQLi
Denial Of Service
Fleet
Suse
-
CVE-2026-26078
HIGH
CVSS 7.5
Discourse instances with an unconfigured patreon_webhook_secret allow remote attackers to forge valid webhook signatures using an empty HMAC-MD5 key, enabling arbitrary creation, modification, or deletion of Patreon pledge data and unauthorized patron synchronization. The vulnerability affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, and currently lacks an available patch. Administrators must explicitly configure the patreon_webhook_secret setting or upgrade to patched versions to mitigate this integrity attack.
Authentication Bypass
Discourse
-
CVE-2026-25741
HIGH
CVSS 7.1
Zulip's payment method update API endpoint in the upgrade flow lacks proper authorization checks, allowing any organization member to modify the default payment method by completing a Stripe Checkout session. This vulnerability affected Zulip Cloud users and has been patched; self-hosted deployments are not impacted and require no action.
Authentication Bypass
-
CVE-2026-25191
HIGH
CVSS 7.8
Arbitrary code execution in FinalCode Client installer (Digital Arts Inc.) results from unsafe DLL loading that allows an attacker to place a malicious library in the same directory as the installer and execute it with elevated privileges when a user runs the installation. This local attack requires user interaction to place the malicious file and execute the installer, but poses significant risk as there is currently no available patch.
Privilege Escalation
RCE
-
CVE-2026-23750
HIGH
CVSS 8.1
Golioth Pouch versions prior to commit 1b2219a1 suffer from a heap buffer overflow in BLE GATT server certificate handling that fails to validate fragment sizes during assembly, allowing unauthenticated adjacent attackers to trigger memory corruption and denial of service. An attacker can send maliciously sized certificate fragments that exceed the allocated buffer capacity, causing heap overflow conditions that crash the application and potentially corrupt adjacent memory structures. No patch is currently available for this vulnerability.
Buffer Overflow
Heap Overflow
Memory Corruption
Denial Of Service
-
CVE-2026-23703
HIGH
CVSS 7.8
FinalCode Client installer by Digital Arts Inc. improperly configures file permissions, enabling local non-administrative users to execute arbitrary code with SYSTEM-level privileges. This privilege escalation affects all users of the affected installer versions and allows attackers to achieve complete system compromise. No patch is currently available for this vulnerability.
Privilege Escalation
RCE
-
CVE-2026-22206
HIGH
CVSS 8.8
SQL injection in SPIP prior to 4.4.10 enables authenticated users with low privileges to execute arbitrary SQL commands and achieve remote code execution through union-based injection combined with PHP tag processing. The vulnerability affects SPIP and PHP environments, requiring only network access and valid credentials to exploit. No patch is currently available, presenting significant risk to production SPIP installations.
PHP
RCE
SQLi
Spip
-
CVE-2026-22205
HIGH
CVSS 7.5
Spip versions up to 4.4.10 contain a vulnerability that allows attackers to access protected information (CVSS 7.5).
PHP
Authentication Bypass
Spip
-
CVE-2026-3261
HIGH
CVSS 7.3
SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /settings/index.php allows unauthenticated remote attackers to manipulate database queries and potentially read or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running affected versions should implement access controls or upgrade immediately to mitigate the risk.
PHP
SQLi
School Management System
-
CVE-2026-3071
HIGH
CVSS 8.4
Arbitrary code execution in Flair's LanguageModel class (versions 0.4.1 and later) allows local attackers to execute arbitrary commands by crafting malicious ML model files that exploit unsafe deserialization. Affected users loading untrusted models from external sources face complete system compromise with no patch currently available. This vulnerability impacts all AI/ML applications using Flair's model loading functionality.
Deserialization
AI / ML
-
CVE-2026-1779
HIGH
CVSS 8.1
Unauthenticated attackers can bypass authentication in the WordPress User Registration & Membership plugin (versions up to 5.1.2) due to flawed logic in the user registration function, allowing them to gain unauthorized access to newly created accounts. The vulnerability requires specific conditions but poses a high risk due to the network-accessible nature of the attack and the lack of authentication requirements. No patch is currently available for affected installations.
WordPress
Authentication Bypass
-
CVE-2026-1693
HIGH
CVSS 7.5
PcVue versions 12.0.0 through 16.3.3 use the deprecated OAuth Resource Owner Password Credentials flow in their web services, enabling remote attackers to steal user credentials without authentication or user interaction. The vulnerability affects WebVue, WebScheduler, TouchVue, and Snapvue components and carries a high severity rating with no patch currently available.
Information Disclosure
Pcvue
-
CVE-2026-1565
HIGH
CVSS 8.8
Arbitrary file upload in User Frontend plugin for WordPress (versions up to 4.2.8) allows authenticated users with Author-level privileges to bypass file type validation and upload malicious files to the server. This can lead to remote code execution if an attacker uploads executable files to web-accessible directories. The vulnerability remains unpatched and affects all versions through 4.2.8.
WordPress
RCE
-
CVE-2026-1557
HIGH
CVSS 7.5
Unauthenticated attackers can exploit a path traversal vulnerability in WP Responsive Images plugin for WordPress (all versions up to 1.0) through the 'src' parameter to read arbitrary files from the server. This allows unauthorized access to sensitive information stored on affected WordPress installations. No patch is currently available.
WordPress
Path Traversal
-
CVE-2026-1311
HIGH
CVSS 8.8
Remote code execution in WordPress Worry Proof Backup plugin through path traversal in the backup upload feature allows authenticated users with Subscriber privileges or higher to write arbitrary files, including PHP executables, to the server by uploading specially crafted ZIP archives. The vulnerability affects all versions up to 0.2.4 and currently has no available patch, enabling attackers to achieve full server compromise.
WordPress
PHP
RCE
Path Traversal
-
CVE-2025-71057
HIGH
CVSS 8.2
Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. [CVSS 8.2 HIGH]
D-Link
-
CVE-2025-14343
HIGH
CVSS 7.6
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS. This issue affects E-Commerce Product: through 10122025. [CVSS 7.6 HIGH]
XSS
-
CVE-2026-28296
MEDIUM
CVSS 4.3
FTP command injection in GVfs backend allows remote attackers to execute arbitrary FTP commands by embedding CRLF sequences in crafted file paths, potentially leading to unauthorized access or code execution. The vulnerability requires user interaction and affects systems utilizing the FTP GVfs backend for file operations. A patch is available to remediate this input validation weakness.
RCE
Redhat
Suse
-
CVE-2026-28295
MEDIUM
CVSS 4.3
GVfs FTP backend clients blindly trust server-provided IP addresses and ports during passive mode connections, enabling malicious FTP servers to conduct network reconnaissance and probe for open ports from the client's network perspective. The vulnerability requires user interaction but poses a confidentiality risk to network topology information. A patch is available to address this trust validation issue.
SSRF
Redhat
Suse
-
CVE-2026-28280
MEDIUM
CVSS 6.1
Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.
XSS
CSRF
Osctrl
Suse
-
CVE-2026-28269
MEDIUM
CVSS 5.9
Kiteworks versions prior to 9.2.0 suffer from a command injection vulnerability that permits authenticated users to redirect command output to arbitrary file locations, potentially enabling overwriting of critical system files and privilege escalation. The vulnerability requires high privileges and manual user interaction to exploit, resulting in a medium severity rating with limited real-world exploitation likelihood (EPSS 0.1%). No patch is currently available for affected installations.
Command Injection
Kiteworks
-
CVE-2026-28230
MEDIUM
CVSS 6.3
SteVe is an open-source EV charging station management system. [CVSS 6.3 MEDIUM]
Authentication Bypass
Steve
-
CVE-2026-28226
MEDIUM
CVSS 6.5
SQL injection in Phishing Club's GetOrphaned recipient endpoint allows authenticated attackers to manipulate ORDER BY clauses by injecting malicious SQL expressions through an unvalidated sortBy parameter. Public exploit code exists for this vulnerability, affecting versions prior to 1.30.2, where attackers can extract sensitive data despite the lack of direct integrity or availability impact. The vulnerability has been patched in v1.30.2 through implementation of column allowlist validation.
SQLi
Phishing Club
-
CVE-2026-28225
MEDIUM
CVSS 5.3
Manyfold versions up to 0.133.1 are affected by an authorization bypass through a user-controlled key (CVSS 5.3).
Authentication Bypass
Manyfold
-
CVE-2026-28219
MEDIUM
CVSS 4.3
Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an authorization bypass that allows authenticated users to escalate ordinary topics to site-wide notices or banners by manipulating request parameters, circumventing administrative controls. This vulnerability affects any Discourse instance where regular users should not have the ability to create global announcements. No patch is currently available, and administrators should review recent banner and notice changes for unauthorized modifications until updating.
Code Injection
Discourse
-
CVE-2026-28218
MEDIUM
CVSS 5.4
The Data Explorer plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to properly enforce access controls, allowing any authenticated user to execute arbitrary SQL queries against unprotected queries, including system-level queries. This affects all installations with the Data Explorer plugin enabled and permits authenticated attackers to access or modify sensitive data without proper authorization. No patch is currently available, though administrators can mitigate the issue by explicitly setting group permissions on queries or disabling the plugin.
Authentication Bypass
Discourse
-
CVE-2026-28217
MEDIUM
CVSS 6.5
hoppscotch is an open source API development ecosystem. [CVSS 6.5 MEDIUM]
Authentication Bypass
Hoppscotch
-
CVE-2026-28208
MEDIUM
CVSS 5.9
Junrar versions prior to 7.5.8 contain a path traversal vulnerability in LocalFolderExtractor that allows attackers to write arbitrary files to the filesystem when processing malicious RAR archives on Linux/Unix systems. Public exploit code exists for this vulnerability, which can facilitate remote code execution through file overwrite attacks such as modifying shell profiles or cron jobs. Users should upgrade to version 7.5.8 or later to remediate this issue.
Linux
Java
RCE
Path Traversal
Junrar
-
CVE-2026-28207
MEDIUM
CVSS 6.6
Zen C is a systems programming language that compiles to human-readable GNU C/C11. [CVSS 6.6 MEDIUM]
Command Injection
Zen C
-
CVE-2026-28132
MEDIUM
CVSS 5.3
The WooCommerce Photo Reviews plugin for WordPress versions up to 1.4.4 fails to properly sanitize user input in HTML contexts, enabling attackers to inject malicious scripts that execute in victims' browsers. This stored cross-site scripting vulnerability allows unauthenticated attackers to deface content or steal sensitive information from site visitors. No patch is currently available for this vulnerability.
WordPress
Code Injection
-
CVE-2026-28131
MEDIUM
CVSS 6.5
The WPVibes Elementor Addon Elements plugin for WordPress (addon-elements-for-elementor-page-builder) contains a security vulnerability (CVSS 6.5).
Information Disclosure
-
CVE-2026-28083
MEDIUM
CVSS 6.5
Stored cross-site scripting in UX-themes Flatsome version 3.20.1 and earlier enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger the stored payload, and no patch is currently available.
XSS
-
CVE-2026-27974
MEDIUM
CVSS 4.8
Audiobookshelf Mobile App versions up to 0.12.0 are affected by cross-site scripting (XSS) (CVSS 4.8).
XSS
Audiobookshelf Mobile App
-
CVE-2026-27973
MEDIUM
CVSS 4.0
Stored XSS in Audiobookshelf Mobile App prior to version 0.12.0-beta allows authenticated users with library modification privileges to inject malicious JavaScript through metadata, enabling arbitrary code execution within victim users' browsers and WebViews. Successful exploitation could lead to session hijacking, data theft, and unauthorized access to native device APIs. A patch is available in version 0.12.0-beta and later.
XSS
Audiobookshelf Mobile App
Audiobookshelf
-
CVE-2026-27970
MEDIUM
CVSS 6.1
Angular versions before 21.2.0, 21.1.16, 20.3.17, and 19.2.19 contain a cross-site scripting vulnerability in the i18n pipeline where translated ICU messages fail to properly sanitize HTML content, allowing attackers to inject and execute arbitrary JavaScript. Applications using Angular's internationalization features with externally translated content are at risk, particularly when translations are provided by third parties. A patch is available for affected versions.
Angular
XSS
Redhat
-
CVE-2026-27968
MEDIUM
CVSS 4.3
Packistry versions prior to 0.13.0 fail to validate token expiration in the RepositoryAwareController::authorize() function, allowing attackers with expired deploy tokens to maintain unauthorized access to repository endpoints and package metadata. An authenticated attacker can leverage an expired token with valid abilities to interact with Composer APIs and potentially download or access sensitive package information. This vulnerability affects self-hosted Packistry deployments and has been patched in version 0.13.0.
PHP
Packistry
-
CVE-2026-27963
MEDIUM
CVSS 4.8
Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library metadata that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. A patch is available in version 2.32.0 and later.
XSS
Audiobookshelf
-
CVE-2026-27954
MEDIUM
CVSS 6.5
Live Helper Chat is an open-source application that enables live support websites. [CVSS 6.5 MEDIUM]
PHP
Privilege Escalation
Live Helper Chat
-
CVE-2026-27948
MEDIUM
CVSS 5.4
Reflected XSS in Copyparty before version 1.20.9 allows unauthenticated attackers to inject malicious scripts through the setck URL parameter, potentially enabling session hijacking or credential theft from affected users. The vulnerability requires user interaction to click a crafted link but can be exploited remotely without authentication. A patch is available in version 1.20.9 and later.
XSS
Copyparty
-
CVE-2026-27946
MEDIUM
CVSS 6.5
Zitadel versions prior to 4.11.1 and 3.4.7 permit authenticated users to bypass email and phone verification procedures through the self-management feature, allowing them to mark contact information as verified without completing actual validation. This integrity bypass enables account compromise scenarios where attackers with valid credentials can impersonate other users or escalate privileges by falsifying verified contact details. No patch is currently available for affected deployments, though implementing action rules (v2) can mitigate the risk.
Authentication Bypass
Zitadel
Suse
-
CVE-2026-27945
MEDIUM
CVSS 6.5
Server-Side Request Forgery in Zitadel's Action V2 webhook feature allows unauthenticated attackers to probe internal network services and gather information about internal infrastructure by crafting malicious webhook target URLs pointing to localhost or private IP addresses. The vulnerability affects Zitadel versions 4.0.0 through 4.11.0, with schema validation providing limited mitigation. No patch is currently available.
SSRF
Zitadel
Suse
-
CVE-2026-27943
MEDIUM
CVSS 6.5
Authenticated users in OpenEMR through version 8.0.0 can access and modify eye exam records belonging to other patients by manipulating form IDs, bypassing patient context validation. This allows disclosure or alteration of sensitive medical data across the patient database, and public exploit code exists for this vulnerability. A patch is available on the main branch of the OpenEMR repository.
Github
Openemr
-
CVE-2026-27933
MEDIUM
CVSS 6.8
Session hijacking in Manyfold prior to version 0.133.0 allows unauthenticated attackers to steal user session cookies through proxy cache leakage, potentially gaining unauthorized access to self-hosted 3D model collections. Public exploit code exists for this vulnerability, and no patch is currently available for affected versions. This attack requires user interaction and can result in complete account compromise without data modification capabilities.
Information Disclosure
Manyfold
-
CVE-2026-27902
MEDIUM
CVSS 5.4
Improper output encoding in Svelte versions prior to 5.53.5 allows attackers to inject malicious HTML and execute arbitrary JavaScript in user browsers through unescaped error messages returned by the transformError function. An attacker who can control error content can exploit this XSS vulnerability to compromise application security and user data. A patch is available in version 5.53.5 and later.
XSS
Svelte
Redhat
-
CVE-2026-27901
MEDIUM
CVSS 6.1
Svelte versions prior to 5.53.5 fail to properly escape text bindings on contenteditable elements, allowing attackers to inject malicious HTML and execute arbitrary scripts when the application renders untrusted data as initial binding values during server-side rendering. This affects applications that use `bind:innerText` or `bind:textContent` with user-controlled input. A patch is available in version 5.53.5.
XSS
Svelte
Redhat
-
CVE-2026-27900
MEDIUM
CVSS 5.0
The Terraform Provider for Linode prior to version 3.9.0 exposes sensitive credentials including passwords and API tokens in debug logs when debug logging is explicitly enabled. Authenticated attackers with access to these logs through CI/CD pipelines, log aggregation systems, or shared debug output can extract exposed secrets. This vulnerability requires an authenticated user and debug logging activation, making it exploitable primarily in environments where logging is intentionally enabled for troubleshooting.
Information Disclosure
Linode Provider
Suse
-
CVE-2026-27884
MEDIUM
CVSS 5.3
NetExec's spider_plus module prior to version 1.5.1 fails to sanitize path traversal characters in SMB share filenames, allowing remote attackers to write or overwrite arbitrary files on Linux systems when the DOWNLOAD feature is enabled. The vulnerability requires user interaction to trigger the malicious SMB share crawl and currently has no available patch. Organizations using NetExec should disable the DOWNLOAD=true option as a temporary mitigation.
Linux
Path Traversal
-
CVE-2026-27840
MEDIUM
CVSS 4.3
Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.
Information Disclosure
Zitadel
Suse
-
CVE-2026-27839
MEDIUM
CVSS 4.3
Wger versions up to 2.4 allow authenticated users to access other users' private nutrition plans through insecure direct object references in the nutritional_values endpoints, exposing sensitive dietary data including caloric intake and macronutrient breakdowns. The vulnerability stems from bypassing user-scoped querysets via direct primary key lookups, and public exploit code is available.
Authentication Bypass
Wger
-
CVE-2026-27837
MEDIUM
CVSS 6.3
Dottie versions 2.0.4 through 2.0.6 suffer from an incomplete prototype pollution fix that allows attackers to bypass validation by placing `__proto__` in non-first positions within dot-separated paths, affecting both `dottie.set()` and `dottie.transform()` functions. An attacker can exploit this to pollute object prototypes and achieve limited confidentiality, integrity, and availability impacts. Public exploit code exists and a patch is available in version 2.0.7.
Code Injection
Dottie
Redhat
-
CVE-2026-27835
MEDIUM
CVSS 4.3
Wger versions up to 2.4 expose all users' repetition configuration data to any authenticated attacker due to missing authorization checks in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet endpoints. A registered user can enumerate the complete workout structures of all other users on the platform. Public exploit code exists for this vulnerability, and a patch is available.
Authentication Bypass
Wger
-
CVE-2026-27829
MEDIUM
CVSS 6.5
Astro web framework versions 9.0.0 through 9.5.3 fail to validate remote image domains when the inferSize option is enabled, allowing attackers to trigger server-side requests to arbitrary hosts and bypass configured image.domains and image.remotePatterns restrictions. An attacker controlling image URLs through CMS content or user input can exploit this to perform SSRF attacks or access unauthorized resources. Public exploit code exists for this vulnerability.
SSRF
-
CVE-2026-27808
MEDIUM
CVSS 5.8
Mailpit versions prior to 1.29.2 contain a Server-Side Request Forgery vulnerability in the Link Check API that allows unauthenticated remote attackers to perform HTTP requests to arbitrary hosts, including internal and private IP addresses. The API fails to validate or filter target URLs and returns status codes for each link, enabling non-blind SSRF attacks. Public exploit code exists for this vulnerability, affecting deployments with default configuration.
SSRF
Mailpit
Suse
-
CVE-2026-27799
MEDIUM
CVSS 4.0
Heap buffer over-read in ImageMagick and Magick.NET's DJVU image handler allows local attackers to read out-of-bounds memory through integer truncation in stride calculations. An attacker can trigger this vulnerability by supplying a malicious DJVU file, potentially leading to information disclosure or application crashes. Updates are available for ImageMagick versions 7.1.2-15, 6.9.13-40 and later.
Buffer Overflow
Imagemagick
Magick.Net
Redhat
Suse
-
CVE-2026-27798
MEDIUM
CVSS 4.0
Magick.NET and ImageMagick versions before 7.1.2-15 and 6.9.13-40 are vulnerable to heap buffer over-read when processing low-resolution images with the wavelet-denoise filter, allowing local attackers to read sensitive memory. This out-of-bounds read could expose confidential information from adjacent heap memory with no possibility of code execution or denial of service. A patch is available for affected users.
Buffer Overflow
Magick.Net
Imagemagick
Redhat
Suse
-
CVE-2026-27711
MEDIUM
CVSS 6.6
NanaZip versions 5.0.1252.0 through 6.5.1637.0 contain an out-of-bounds memory access flaw in the UFS file parser that can be triggered by opening a malicious .ufs/.ufs2/.img archive file, potentially causing process crashes, hangs, or exploitable heap corruption. Local attackers can exploit this vulnerability through normal file-open operations without elevated privileges, and public exploit code is available. No patch is currently available for affected versions.
Memory Corruption
Denial Of Service
Nanazip
-
CVE-2026-27710
MEDIUM
CVSS 5.0
NanaZip versions 5.0.1252.0 through 6.5.1637.x contain an integer underflow in the .NET Single File Application parser that allows local attackers with user privileges to cause denial of service through unbounded memory allocation when opening a specially crafted archive file. Public exploit code exists for this vulnerability. Patches are available in versions 6.0.1638.0 and 6.5.1638.0.
Dotnet
Integer Overflow
Nanazip
-
CVE-2026-27709
MEDIUM
CVSS 6.6
Out-of-bounds memory read in NanaZip versions 5.0.1252.0 through 6.0.1637.x allows local authenticated attackers to disclose in-process memory or trigger application crashes by crafting malicious .NET Single File Application bundles with malformed manifest headers. Public exploit code exists for this vulnerability, and patches are available in versions 6.0.1638.0 and 6.5.1638.0. The issue affects Dotnet and Nanazip products where a malicious user interaction with crafted archive files can bypass bounds checking during manifest parsing.
Dotnet
Denial Of Service
Nanazip
-
CVE-2026-27465
MEDIUM
CVSS 6.5
Fleet versions up to 4.80.1 contain a vulnerability that allows attackers unauthorized access to Google Calendar resources associated with the service acc (CVSS 6.5).
Privilege Escalation
Fleet
Suse
-
CVE-2026-27457
MEDIUM
CVSS 4.3
Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.
Information Disclosure
Weblate
Suse
-
CVE-2026-27162
MEDIUM
CVSS 4.9
Discourse's posts_nearby function fails to properly filter whispered posts based on user permissions, allowing authenticated users with high privileges to view confidential whispers intended only for specific recipients. The vulnerability stems from inadequate post-type filtering that bypasses guardian-based access controls. No patch is currently available for affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0.
Information Disclosure
Discourse
-
CVE-2026-27154
MEDIUM
CVSS 6.1
Stored cross-site scripting in Discourse allows attackers to inject malicious HTML through user full names when specific display settings are enabled, which executes in the browsers of users viewing or editing affected posts. The vulnerability requires the `display_name_on_posts` setting to be true and `prioritize_username_in_ux` to be false, potentially affecting installations with these configurations. No patch is currently available, and users should disable the vulnerable display settings or upgrade to patched versions 2025.12.2, 2026.1.1, or 2026.2.0.
XSS
Discourse
-
CVE-2026-27149
MEDIUM
CVSS 6.5
SQL injection in Discourse's private message tag filtering allows authenticated users to bypass tag restrictions and read unauthorized private message metadata. Affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 expose sensitive conversation information to users who should not have access. No workaround exists for unpatched installations.
SQLi
Discourse
-
CVE-2026-27021
MEDIUM
CVSS 5.3
The Discourse poll plugin voters endpoint fails to validate post visibility permissions, enabling unauthenticated attackers to enumerate poll voter details across any post in affected instances. This information disclosure affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, with no workaround available until patching. No patch is currently available for earlier versions.
Authentication Bypass
Discourse
-
CVE-2026-26973
MEDIUM
CVSS 4.3
Insecure Direct Object References in Discourse ReviewableNotesController allow category moderation group members to create or delete notes on any reviewable in the system regardless of moderation scope when category group moderation is enabled. This authorization bypass affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, enabling users to manipulate moderation records outside their assigned categories. No patch is currently available.
Authentication Bypass
Discourse
-
CVE-2026-26937
MEDIUM
CVSS 6.5
Kibana's Timelion component is vulnerable to denial of service through uncontrolled resource consumption when processing malicious input data, affecting authenticated users with network access to the application. An attacker with valid credentials can manipulate input to exhaust system resources and render the service unavailable. No patch is currently available for this vulnerability.
Denial Of Service
Kibana
-
CVE-2026-26936
MEDIUM
CVSS 4.9
Kibana's AI Inference Anonymization Engine contains a ReDoS (Regular Expression Denial of Service) vulnerability that allows authenticated high-privilege users to crash the service through maliciously crafted input. An attacker with administrative credentials can trigger exponential regex backtracking to render the system unavailable, though no patch is currently available.
Denial Of Service
AI / ML
Kibana
-
CVE-2026-26935
MEDIUM
CVSS 6.5
Kibana's Content Connectors search endpoint fails to properly validate user input, allowing authenticated attackers to trigger a denial of service condition through crafted request data. This medium-severity vulnerability affects systems where users have login credentials and can be exploited without user interaction.
Denial Of Service
Kibana
-
CVE-2026-26934
MEDIUM
CVSS 6.5
Kibana contains a vulnerability that allows an authenticated attacker with view-only privileges to cause a denial of service (CVSS 6.5).
Denial Of Service
Kibana
-
CVE-2026-26932
MEDIUM
CVSS 5.7
Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.
Golang
PostgreSQL
Denial Of Service
Packetbeat
-
CVE-2026-26228
MEDIUM
CVSS 4.9
Authenticated attackers can read arbitrary files from a VLC for Android device running versions before 3.7.0 by exploiting a path traversal flaw in the Remote Access Server's download endpoint. The vulnerability allows directory traversal through an unsanitized file parameter, though impact is limited to files accessible within the Android app's sandbox and storage permissions. No patch is currently available for this medium-severity vulnerability.
Android
Path Traversal
-
CVE-2026-26207
MEDIUM
CVSS 5.4
The discourse-policy plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to verify user permissions when processing policy actions, allowing authenticated users to accept or reject policies on posts they cannot access in private categories or private messages. Attackers can exploit this authorization bypass to manipulate policies on restricted content and enumerate post IDs with policies through error message differences. The vulnerability requires authentication but affects the confidentiality and integrity of policy-protected discussions.
Information Disclosure
Discourse
-
CVE-2026-26077
MEDIUM
CVSS 6.5
Unauthenticated attackers can submit forged webhook payloads to multiple email provider integrations in Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 when authentication tokens are not configured, allowing them to artificially inflate user bounce scores and disable legitimate user accounts. The vulnerability affects webhook endpoints for SendGrid, Mailjet, Mandrill, Postmark, and SparkPost, with Mailpace having no token validation whatsoever. Administrators should immediately configure webhook authentication tokens for all email provider integrations as a workaround until patching is available.
Authentication Bypass
Discourse
-
CVE-2026-25963
MEDIUM
CVSS 6.5
Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template deletion API that allows team administrators to delete certificate templates belonging to other teams. The vulnerability stems from insufficient validation of template ownership during batch deletion operations, enabling cross-team resource destruction that could disrupt certificate-dependent functions like device enrollment and VPN access. A patch is not yet available as of this CVE publication.
Privilege Escalation
Fleet
Suse
-
CVE-2026-24004
MEDIUM
CVSS 5.3
Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated attackers to remotely trigger device unenrollment and remove Android devices from management. The vulnerability has limited impact, affecting only device management continuity without providing access to Fleet itself or device data. Organizations running vulnerable versions should upgrade immediately or disable Android MDM until patching is possible.
Android
Fleet
Suse
-
CVE-2026-23999
MEDIUM
CVSS 5.5
Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attackers with physical access to a locked device and knowledge of the approximate lock time to brute-force the 6-digit PIN within a limited search window. This vulnerability affects Fleet versions prior to 4.80.1 and requires local access and timing knowledge to exploit. No patch is currently available.
Authentication Bypass
Fleet
Suse
-
CVE-2026-23939
MEDIUM
CVSS 6.9
Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relative path manipulation in the file storage routines. Only self-hosted hexpm deployments using Local Storage are affected; the managed hex.pm service is not vulnerable. An attacker can access arbitrary files accessible to the hexpm process without authentication or user interaction.
Path Traversal
-
CVE-2026-22728
MEDIUM
CVSS 4.9
Bitnami Sealed Secrets improperly validates user-supplied annotations during secret rotation, allowing authenticated attackers to escalate secret scope from namespace-wide or strict constraints to cluster-wide. An attacker can inject a malicious annotation into the rotation request to obtain a rotated secret accessible across any namespace, potentially enabling lateral movement and unauthorized access to sensitive credentials throughout the cluster.
Authentication Bypass
Suse
-
CVE-2026-22722
MEDIUM
CVSS 6.1
Null pointer dereference in Windows allows authenticated local users to cause a denial of service condition with potential system instability. An attacker with valid user credentials can trigger this memory safety issue to crash affected processes or degrade system availability. No patch is currently available for this vulnerability.
Windows
Null Pointer Dereference
-
CVE-2026-22715
MEDIUM
CVSS 5.9
VMware Workstation and Fusion contain a logic flaw in the management of network packets. Known attack vectors: a malicious actor with administrative privileges on a guest VM may be able to interrupt or intercept network connections of other guest VMs. [CVSS 5.9 MEDIUM]
VMware
-
CVE-2026-3268
MEDIUM
CVSS 5.4
Improper access controls in PSI Probe up to version 5.3.0 allow authenticated remote attackers to manipulate session attributes through the RemoveSessAttributeController, enabling unauthorized modifications to application state. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Java
Psi Probe
-
CVE-2026-3265
MEDIUM
CVSS 6.3
Improper authorization in Free CRM's Security API endpoint allows authenticated remote attackers to bypass access controls and gain unauthorized access to sensitive data or functionality. The vulnerability affects an unknown component within /api/Security/ and has public exploit code available, though no patch is currently available from the vendor. Free CRM's rolling release model prevents specific version tracking, and the vendor has not responded to disclosure attempts.
Information Disclosure
Free Crm
-
CVE-2026-3264
MEDIUM
CVSS 6.3
Unauthenticated attackers can manipulate the Administrative Interface in Free CRM to achieve code execution following a redirect attack. The vulnerability affects Free CRM up to commit b83c40a and requires only network access and low privileges, with public exploit code already available. No patch is currently available, and the vendor has not responded to disclosure attempts.
Information Disclosure
Free Crm
-
CVE-2026-3263
MEDIUM
CVSS 6.3
Asp.Net-Core-Inventory-Order-Management-System versions up to 9.20250118 contain a security vulnerability (CVSS 6.3).
Dotnet
Asp.Net Core Inventory Order Management System
-
CVE-2026-3262
MEDIUM
CVSS 6.3
Asp.Net-Core-Inventory-Order-Management-System versions up to 9.20250118 contain a security vulnerability (CVSS 6.3).
Dotnet
Asp.Net Core Inventory Order Management System
-
CVE-2026-2680
MEDIUM
CVSS 6.1
A3factura's sales delivery notes endpoint is vulnerable to reflected XSS through the customerVATNumber parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via malicious links. The vulnerability requires user interaction and affects the confidentiality and integrity of victim sessions, with no patch currently available. The attack has low complexity and can impact multiple users if the vulnerable parameter is exploited in phishing or watering hole scenarios.
XSS
A3factura
-
CVE-2026-2679
MEDIUM
CVSS 6.1
A3factura's sales invoice endpoint is vulnerable to reflected XSS through the customerName parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via a crafted link. This requires user interaction to trigger but affects all A3factura users on the vulnerable platform. No patch is currently available.
XSS
A3factura
-
CVE-2026-2678
MEDIUM
CVSS 6.1
Reflected XSS in the A3factura customer management interface allows unauthenticated attackers to inject malicious scripts through the name parameter, potentially enabling session hijacking or credential theft when victims click a crafted link. The vulnerability requires user interaction and affects the web application at wolterskluwer.es, with no patch currently available.
XSS
A3factura
-
CVE-2026-2677
MEDIUM
CVSS 6.1
A3factura's representatives management endpoint contains a reflected XSS vulnerability in the 'name' parameter that enables attackers to inject and execute arbitrary JavaScript in users' browsers through a crafted URL. An attacker can exploit this via social engineering to steal session tokens, manipulate account data, or perform unauthorized actions on behalf of the victim. Currently no patch is available for this medium-severity vulnerability affecting the Wolters Kluwer A3factura platform.
XSS
A3factura
-
CVE-2026-2506
MEDIUM
CVSS 6.1
Stored cross-site scripting in the EM Cost Calculator WordPress plugin up to version 2.3.1 allows unauthenticated attackers to inject malicious scripts through the customer name field, which execute when administrators access the customer list. An attacker can exploit this to steal admin credentials or perform unauthorized actions within the WordPress environment. No patch is currently available for this vulnerability.
WordPress
XSS
-
CVE-2026-2499
MEDIUM
CVSS 4.4
Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.
WordPress
Golang
XSS
-
CVE-2026-2498
MEDIUM
CVSS 4.4
Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.
WordPress
XSS
-
CVE-2026-2489
MEDIUM
CVSS 4.4
The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.
WordPress
XSS
-
CVE-2026-2356
MEDIUM
CVSS 5.3
Unauthenticated attackers can delete arbitrary user accounts on WordPress sites running the User Registration & Membership plugin through version 5.1.2 due to insufficient validation of the member_id parameter in the register_member function. This IDOR vulnerability specifically targets newly registered accounts marked with the urm_user_just_created meta flag. No patch is currently available.
WordPress
-
CVE-2026-2029
MEDIUM
CVSS 6.4
Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
WordPress
XSS
-
CVE-2026-1698
MEDIUM
CVSS 6.1
PcVue versions 15.0.0 through 16.3.3 are vulnerable to HTTP Host header injection in the WebClient and WebScheduler authentication endpoints, allowing unauthenticated remote attackers to manipulate server behavior and potentially conduct phishing or cache poisoning attacks. The vulnerability affects the /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and /Authentication/Logout endpoints, with the ability to inject malicious payloads that could lead to information disclosure or data modification. Currently no patch is available for this medium-severity issue.
Code Injection
Pcvue
-
CVE-2026-1697
MEDIUM
CVSS 6.5
PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and WebClient application, enabling attackers to intercept session cookies over unencrypted connections and perform cross-site request forgery attacks. This vulnerability affects organizations using the affected PcVue versions and could allow unauthorized actions on behalf of authenticated users. No patch is currently available for this medium-severity issue.
Information Disclosure
Pcvue
-
CVE-2026-1696
MEDIUM
CVSS 6.1
PcVue's web server fails to set proper HTTP security headers in its responses, enabling cross-site scripting (XSS) attacks against users who interact with the application. An unauthenticated attacker can exploit this through user interaction to execute malicious scripts, potentially compromising confidentiality and integrity. No patch is currently available.
XSS
Pcvue
-
CVE-2026-1695
MEDIUM
CVSS 6.1
Cross-site scripting (XSS) in PcVue's OAuth error page (versions 12.0.0-16.3.3) allows remote attackers to inject malicious scripts by tricking users into authenticating with a crafted client ID, potentially compromising the WebVue, WebScheduler, TouchVue, and SnapVue components. An attacker can exploit this to steal session tokens or perform actions on behalf of affected users. No patch is currently available.
XSS
Pcvue
-
CVE-2026-1694
MEDIUM
CVSS 4.3
PcVue versions 12.0.0 through 16.3.3 fail to remove default IIS and ASP.NET HTTP headers during deployment of WebVue, WebScheduler, TouchVue, and SnapVue features, allowing unauthenticated remote attackers to gather sensitive server configuration details through information disclosure. This vulnerability requires user interaction and has no available patch at this time.
Iis
Dotnet
Pcvue
-
CVE-2026-1692
MEDIUM
CVSS 6.1
PcVue versions 12.0.0 through 16.3.3 lack origin validation on WebSocket connections in the GraphicalData service, enabling cross-site WebSocket hijacking attacks against authenticated users. An attacker can trick a logged-in user into visiting a malicious site to compromise the confidentiality and integrity of their PcVue session. No patch is currently available for this medium-severity vulnerability.
Information Disclosure
Pcvue
-
CVE-2025-64999
MEDIUM
CVSS 5.4
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link. [CVSS 5.4 MEDIUM]
XSS
Checkmk
-
CVE-2025-56605
MEDIUM
CVSS 5.4
A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. [CVSS 5.4 MEDIUM]
PHP
XSS
-
CVE-2026-28227
LOW
CVSS 2.7
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the `publish_to_category` topic timer, bypassing authorization checks. [CVSS 2.7 LOW]
Industrial
-
CVE-2026-27896
None
s standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions up to 1.3.1 contains a security vulnerability.
Golang
-
CVE-2026-27887
None
Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g.
Denial Of Service
-
CVE-2026-27838
LOW
CVSS 3.1
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. [CVSS 3.1 LOW]
Authentication Bypass
-
CVE-2026-27830
None
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via m...
Java
Deserialization
-
CVE-2026-27735
None
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries.
Python
-
CVE-2026-27153
LOW
CVSS 2.7
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in `can_export_entity?`. [CVSS 2.7 LOW]
Authentication Bypass
-
CVE-2026-27152
LOW
CVSS 3.8
Discourse is an open source discussion platform. [CVSS 3.8 LOW]
Authentication Bypass
-
CVE-2026-27151
LOW
CVSS 2.7
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. [CVSS 2.7 LOW]
Industrial
-
CVE-2026-27150
LOW
CVSS 3.8
Discourse is an open source discussion platform. [CVSS 3.8 LOW]
Authentication Bypass
-
CVE-2026-26979
LOW
CVSS 2.7
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. [CVSS 2.7 LOW]
Industrial
-
CVE-2026-26227
LOW
CVSS 3.7
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploita...
Android
Authentication Bypass
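The mechanism in the VLC entry above, as an added example that is not VLC's code: a 4-digit OTP verifier with no attempt limit beside one that burns the code after a small failure budget, plus a simulated attacker sweeping the whole code space inside the validity window. The policy constants, the function names and the fixed clock are assumptions.

```c
/* Added example, not VLC's code: a 4-digit OTP verifier with no attempt limit
 * beside one that invalidates the code after a few failures. The policy
 * constants and function names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define OTP_DIGITS_MAX 9999u      /* 4-digit code space: 0000..9999 */
#define OTP_MAX_FAILURES 5u       /* assumed policy */

struct otp_state {
    unsigned code;      /* the 4-digit OTP shown to the user */
    time_t expires;     /* end of the validity window */
    unsigned failures;  /* wrong guesses against this code */
    bool burned;        /* set once the budget is spent or the code was used */
};

enum otp_result { OTP_OK, OTP_WRONG, OTP_EXPIRED, OTP_LOCKED };

void otp_issue(struct otp_state *s, unsigned code, time_t now, unsigned ttl_seconds) {
    s->code = code % (OTP_DIGITS_MAX + 1);
    s->expires = now + (time_t)ttl_seconds;
    s->failures = 0;
    s->burned = false;
}

/* Vulnerable pattern: every guess inside the window gets a fresh comparison,
 * so an attacker can try all 10000 values before the code expires. */
enum otp_result otp_verify_unthrottled(struct otp_state *s, unsigned guess, time_t now) {
    if (now >= s->expires) return OTP_EXPIRED;
    return guess == s->code ? OTP_OK : OTP_WRONG;
}

/* Hardened: count failures per issued code and burn the code once the budget
 * is spent, so the window can never be searched exhaustively. The code is
 * also single use. A real server would add per-client delays and logging. */
enum otp_result otp_verify_throttled(struct otp_state *s, unsigned guess, time_t now) {
    if (now >= s->expires) return OTP_EXPIRED;
    if (s->burned) return OTP_LOCKED;
    if (guess == s->code) { s->burned = true; return OTP_OK; }
    if (++s->failures >= OTP_MAX_FAILURES) s->burned = true;
    return OTP_WRONG;
}

/* Simulated attacker: sweep 0000..9999 inside the window and report how many
 * guesses it took, or 0 if the code was never accepted. */
unsigned sweep(struct otp_state *s,
               enum otp_result (*verify)(struct otp_state *, unsigned, time_t),
               time_t now) {
    for (unsigned g = 0; g <= OTP_DIGITS_MAX; g++) {
        enum otp_result r = verify(s, g, now);
        if (r == OTP_OK) return g + 1;
        if (r == OTP_LOCKED || r == OTP_EXPIRED) return 0;
    }
    return 0;
}

int main(void) {
    time_t now = 1000;   /* constructed clock value */
    struct otp_state s;
    otp_issue(&s, 4821, now, 300);
    printf("unthrottled: cracked after %u guesses\n", sweep(&s, otp_verify_unthrottled, now));
    otp_issue(&s, 4821, now, 300);
    printf("throttled: cracked after %u guesses (0 = locked out)\n", sweep(&s, otp_verify_throttled, now));
    return 0;
}
```

The sweep against the unthrottled verifier always succeeds in at most 10000 guesses, which is why a short validity window alone is not a defence; the throttled verifier stops the sweep after five wrong guesses regardless of how long the window is.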
-
CVE-2026-23749
LOW
CVSS 2.9
Golioth Firmware SDK versions from 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contain an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init() accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen() on this bu...
Denial Of Service
-
CVE-2026-23748
LOW
CVSS 3.7
Golioth Firmware SDK versions from 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 causes a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A mali...
Denial Of Service
-
CVE-2026-23747
LOW
CVSS 3.7
Golioth Firmware SDK versions from 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds the asserts are compiled out, so memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes...
Buffer Overflow
Stack Overflow
Denial Of Service
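The three Golioth entries above describe three distinct C bugs: an strncpy() that leaves no terminator, a size_t subtraction that wraps, and a bound check that exists only inside assert(). As an added example, not Golioth's code, here is each pattern beside a hardened form. Function and buffer names are assumptions, MAX_PATH_LEN stands in for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN, and the 12-byte integer buffer mirrors the size named in the advisory.

```c
/* Added example, not Golioth's code: the three bug patterns from the advisories
 * above, each beside a hardened form. Names are assumptions; MAX_PATH_LEN
 * stands in for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN 8    /* assumed value; real builds configure this */
#define INT_BUF_LEN 12    /* fixed-size stack buffer, as in the advisory */

struct transfer_ctx { char path[MAX_PATH_LEN]; };

/* CVE-2026-23749 pattern: strncpy() with n == sizeof(buffer) writes no NUL when
 * the source is at least that long. Returns whether ctx->path ended up terminated. */
bool path_init_unsafe(struct transfer_ctx *ctx, const char *path) {
    memset(ctx->path, 'X', sizeof ctx->path);   /* stale bytes, not zeros */
    strncpy(ctx->path, path, MAX_PATH_LEN);
    return memchr(ctx->path, '\0', sizeof ctx->path) != NULL;
}

/* Hardened: refuse inputs that leave no room for the terminator, then copy it. */
bool path_init_safe(struct transfer_ctx *ctx, const char *path) {
    size_t len = strlen(path);
    if (len >= MAX_PATH_LEN) return false;
    memcpy(ctx->path, path, len + 1);
    return true;
}

/* CVE-2026-23748 pattern: a quoted string payload "abc" has payload_size - 2
 * body bytes. For payload_size < 2 the subtraction wraps towards SIZE_MAX, which
 * the original code then handed to memcpy(). Returned here instead of copied. */
size_t string_nbytes_unsafe(size_t payload_size) {
    return payload_size - 2;
}

/* Hardened: validate the quotes and the minimum size before subtracting. */
bool string_payload_copy(const uint8_t *payload, size_t payload_size,
                         char *out, size_t out_len) {
    if (payload == NULL || payload_size < 2) return false;
    if (payload[0] != '"' || payload[payload_size - 1] != '"') return false;
    size_t nbytes = payload_size - 2;
    if (nbytes >= out_len) return false;   /* leave room for the NUL */
    memcpy(out, payload + 1, nbytes);
    out[nbytes] = '\0';
    return true;
}

/* CVE-2026-23747 pattern: the only length check is an assert(), which
 * -DNDEBUG removes, so a payload longer than the buffer overflows the stack. */
int32_t payload_as_int_unsafe(const uint8_t *payload, size_t payload_size) {
    char buf[INT_BUF_LEN];
    assert(payload_size < sizeof buf);   /* gone in release builds */
    memcpy(buf, payload, payload_size);
    buf[payload_size] = '\0';
    return (int32_t)strtol(buf, NULL, 10);
}

/* Hardened: an unconditional bound check plus strict parsing and a range check. */
bool payload_as_int(const uint8_t *payload, size_t payload_size, int32_t *out) {
    char buf[INT_BUF_LEN];
    if (payload == NULL || payload_size == 0 || payload_size >= sizeof buf) return false;
    memcpy(buf, payload, payload_size);
    buf[payload_size] = '\0';
    char *end = NULL;
    errno = 0;
    long v = strtol(buf, &end, 10);
    if (errno == ERANGE || end == buf || *end != '\0') return false;
    if (v < INT32_MIN || v > INT32_MAX) return false;
    *out = (int32_t)v;
    return true;
}

int main(void) {
    struct transfer_ctx ctx;
    const char *full = "ABCDEFGH";   /* constructed: exactly MAX_PATH_LEN bytes */
    printf("full-length path: unsafe terminated=%d safe accepts=%d\n",
           path_init_unsafe(&ctx, full), path_init_safe(&ctx, full));
    printf("nbytes for payload_size=1: %zu\n", string_nbytes_unsafe(1));
    char s[8];
    const uint8_t quoted[] = { '"', 'h', 'i', '"' };   /* constructed payload */
    printf("quoted copy ok=%d -> \"%s\"\n", string_payload_copy(quoted, 4, s, sizeof s), s);
    int32_t v = 0;
    const uint8_t big[] = "12345678901234567";   /* 17 bytes > INT_BUF_LEN */
    printf("oversized int rejected=%d\n", !payload_as_int(big, sizeof big - 1, &v));
    const uint8_t ok[] = "42";
    printf("int parse ok=%d value=%d\n", payload_as_int(ok, 2, &v), v);
    return 0;
}
```

The hardened variants share one property the originals lack: every length used for a copy is checked against the destination before the copy, in code that survives a release build.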
-
CVE-2026-2244
None
A vulnerability in Google Cloud Vertex AI Workbench from July 21, 2025 to January 30, 2026 allows an attacker to exfiltrate valid Google Cloud access tokens of other users via abuse of a built-in startup script. All instances created after January 30, 2026 have been patched to protect from this vulnerability.
Google
-
CVE-2026-1241
None
The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface.
Authentication Bypass
-
CVE-2026-1198
None
SIMPLE.ERP is vulnerable to SQL injection in the search functionality of the "Obroty na kontach" window. Lack of input validation allows an authenticated attacker to craft a malicious query that the database will execute.
SQLi
-
CVE-2025-11384
None
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Information Disclosure
-
CVE-2025-11383
None
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Information Disclosure
-
CVE-2025-11382
None
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Denial Of Service
-
CVE-2025-11381
None
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Information Disclosure
-
CVE-2023-31364
None
Improper handling of direct memory writes in the input-output memory management unit could allow a malicious guest virtual machine (VM) to flood a host with writes, potentially causing a fatal machine check error resulting in denial of service.
Denial Of Service